April 6, 2026 | Policy Brief
New Standards Aim to Protect Medical Patients from the ‘Internet of Things’
Cybersecurity in healthcare may finally be getting its overdue visit to the doctor’s office.
The National Institute of Standards and Technology (NIST) is developing new cybersecurity guidance for integrating medical devices into clinical environments, moving away from an approach that had applied ill-fitting IT cybersecurity standards to non-IT products. Securing digitally connected devices will require assessing risks unique to different use cases, adding specificity to securing vital systems.
IoT Devices Support Patient Care But Introduce Risk
NIST’s new work on connected medical devices is part of its larger effort to refine and improve guidance for all interconnected digital systems, especially devices referred to as “Internet of Things” (IoT) devices — objects with embedded technology that allows information exchange with other devices on networks, like wearable health monitors and sensors.
Not all medical devices are internet-connected. IoT medical devices represent a subset of equipment that is digitally connected to hospital networks and exchanging data with other systems. Hospitals, however, increasingly rely on many digitally connected systems to operate, whether to access patient records and medication history, transport resources throughout buildings, or communicate throughout the hospital.
Advanced technology in medical devices acts as a force multiplier for hospitals and care centers — enabling continued care despite increasing healthcare workforce shortages. However, these devices also introduce risk. Each network-connected device represents an additional attack vector for malicious actors looking to make a buck or disrupt operations.
Attackers Exploit Cybersecurity Gaps in Healthcare
In 2025, healthcare-related ransomware attacks grew by 30 percent. A February 2026 attack on the University of Mississippi Medical Center, for example, closed clinics across the state, causing delays in chemotherapy treatments and slowdowns at treatment centers as staff were forced to resort to paper documentation for patients.
IoT devices are an exploitable entry point to bring the interconnected device networks at care centers to a halt. In February 2023, a ransomware attack against Lehigh Valley Health Network caused delays in care. Attackers targeted medical imaging systems that were particularly vulnerable because they run legacy operating systems and are connected to multiple clinical networks. Delays like this put patients’ lives in danger. NIST’s updated guidance on IoT devices will help practitioners understand the risks associated with highly connected devices.
Chinese-manufactured healthcare technology equipment can pose an even greater risk to patients due to baked-in vulnerabilities. Based on the findings of independent researchers, the U.S. government warned last year that Chinese-made patient monitors in America were sending sensitive data back to internet locations in China. The devices contained embedded backdoors that malicious actors could use to alter patient data — threatening not only data privacy, but also patient care if physicians used corrupted data to make medical decisions.
Congressional Action Can Support NIST and Other Government Efforts
The federal government is starting to help protect patients from these types of risks. In June 2025, the Food and Drug Administration finalized guidance for securing American medical devices. In late 2025, the Department of Commerce’s Bureau of Industry and Security solicited public comment for their investigation into the national security implications of imported medical equipment, which spanned both connected and non-connected devices.
NIST’s research can continue to inform these and future efforts. Congress should leverage NIST research and other efforts to prohibit the government from procuring potentially risky medical devices, especially those produced by adversarial nations like China that connect to device networks. Doing so will lead to greater security not just for the devices themselves but for the American public.
Sophie McDowall is a research associate for the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), where Thomas Gormley is an intern. For more analysis from the authors and FDD, subscribe HERE. Follow Sophie on X @SophieMcDowall_. Follow FDD on X @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.